Attacking and fixing the Microsoft Windows Kerberos Login Service
We implemented and tested a recent attack technique, also called “pass-the-ticket”, on various real Kerberos implementations. The attack allows a malicious user to physically log in on a target host in a Kerberos-based network, under the assumption that he knows a valid user principal and has the ability to manipulate network traffic. Our research shows that all recent versions of the Microsoft Windows operating systems are vulnerable to the attack.
We discuss here some of the best-known Kerberos weaknesses, and give a detailed description of the pass-the-ticket technique, with a possible fix (already successfully implemented in the MIT Kerberos software). The simple tool used to reproduce two of the described techniques is also included below (requires Python + Scapy).
Little library needed to bind some Kerberos API functions to Python
The tool which reproduces the KDC spoofing and “Pass-the-ticket” attacks
Links to the original papers describing the vulnerability, by E. Bouillon:
BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-whitepaper.pdf
PacSec08_Bouillon.ppt
08-18-2010 UPDATE:
Google Docs mirror for everything: Paper, kdcreplay, Krb5Crypto
10-27-2010 UPDATE:
kdcreplay.py revision, with a more exhaustive readme (you’d better read it): kdcreplay
also Google Docs mirror here: kdcreplay